Hi Shane,
Thanks for your detailed reply. The point I am trying to highlight is the
changes in TCP for DNS, which is "TCP out of order packet delivery, i.e. the

On Thu, Dec 1, 2016 at 7:01 PM, Shane Kerr <sh...@time-travellers.org>

> Tariq,
> At 2016-12-01 12:50:16 +0500
> Tariq Saraj <tariqsa...@gmail.com> wrote:
> > My question is that, at one side "Specification for DNS over Transport
> > Layer Security (TLS) i.e. RFC7858" is a proposed standard now.
> > Whereas, on the other side in the "draft-ietf-dprive-dnsodtls-13",
> > The motivations for proposing DNS-over-DTLS are that
> >
> >    o  TCP suffers from network head-of-line blocking, where the loss of
> >       a packet causes all other TCP segments to not be delivered to the
> >       application until the lost packet is re-transmitted.  DNS-over-
> >       DTLS, because it uses UDP, does not suffer from network head-of-
> >       line blocking.
> > In the very next point of this draft it is also mentioned that " However,
> > with TCP Fast Open [RFC7413], the implementation can achieve the same RTT
> > efficiency as DTLS."
> > In addition to that, in the recent IETF97 meeting regarding DNS privacy
> > they have presented a technique of OOOP for TCP.
> > So, why does the community still need DTLS for DNS?
> TCP Fast Open does not work for the first connection between hosts.
> This makes it effective in cases where you expect repeated connections
> (such as in the stub to resolver case), but possibly less effective in
> cases where you do not expect repeated connections, or where you
> expect connections to happen a long time apart.
> Further, the specific drawback is about the case of lost packets. Since
> TCP (and thus TLS) is a stream-oriented protocol, it cannot deliver
> data until all packets in the sequence are available. So if packet #2 is
> lost, packets #3, #4, and all later packets cannot be delivered to the
> application until packet #2 is re-sent. DTLS, since it is a datagram
> protocol, does not have this limitation.
> To be honest, there has not been a strong push for DNS over DTLS. Even
> with DNS over DTLS, we need DNS over TLS as a fallback in the case of
> truncation. So adding DNS over DTLS is always an extra cost. It might
> be that DNS over DTLS is worth the extra code and complexity, but I
> think it is safe to say that we do not have enough operational
> experience yet to know for sure.
> Cheers,
> --
> Shane

Tariq Saraj
Riphah Institute of Systems Engineering, Islamabad
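The head-of-line blocking that Shane describes above (a lost segment #2 stalls segments #3, #4 and later at the TCP receiver, while a datagram transport delivers each surviving record on its own) can be made concrete at the framing layer. The following is an added example written for this thread; it is not code from the dns-privacy list, from any DNS implementation, or from the drafts discussed. It simulates a stream receiver using the RFC 1035 2-byte length prefix that DNS-over-TCP (and therefore DNS-over-TLS) uses, next to a datagram receiver as DNS-over-DTLS would see it. There are no sockets, no TLS/DTLS records and no retransmission timer; the query names, the 40-byte segment size and the choice of which segment is lost are all constructed for the demonstration.

```python
"""Head-of-line blocking: DNS over a TCP stream vs. DNS over datagrams.

Added example for the dns-privacy thread; not code from any DNS project.
Models only the message-framing layer. Sample queries, the segment size and
the lost segment are constructed values.
"""
import struct


def build_query(qname, qid, qtype=1):
    """Minimal DNS query in wire format: 12-byte header (RD set, one
    question), QNAME as length-prefixed labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(messages):
    """RFC 1035 section 4.2.2: over TCP every DNS message is preceded by a
    2-byte big-endian length. Concatenating the framed messages gives the
    byte stream that TCP (or TLS over TCP) carries."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)


def split_segments(stream, seg_size):
    """Cut the byte stream into fixed-size 'TCP segments'."""
    return [stream[i:i + seg_size] for i in range(0, len(stream), seg_size)]


def parse_tcp_stream(data):
    """Extract complete length-prefixed messages from a contiguous prefix of
    the stream; a message whose tail has not arrived yet is left in place."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (n,) = struct.unpack_from("!H", data, off)
        if off + 2 + n > len(data):
            break  # partial message: the receiver must wait for more bytes
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs


def deliver_tcp(segments, lost):
    """Stream receiver. Only bytes contiguous from the start of the stream can
    be handed up; segments after the first gap are buffered but not
    delivered. Returns (delivered messages, bytes stuck behind the gap)."""
    contiguous, stalled, gap_seen = b"", 0, False
    for i, seg in enumerate(segments):
        if i in lost:
            gap_seen = True      # the missing segment: everything after waits
            continue
        if gap_seen:
            stalled += len(seg)  # arrived, buffered, undeliverable
        else:
            contiguous += seg
    return parse_tcp_stream(contiguous), stalled


def deliver_dtls(records, lost):
    """Datagram receiver. Each DNS message is its own record, so the loss of
    one record affects only that message."""
    return [r for i, r in enumerate(records) if i not in lost]


def demo():
    """Three constructed queries; the second TCP segment (index 1) is lost,
    and for the datagram case the second record (index 1) is lost."""
    queries = [build_query("a.example", 1),
               build_query("b.example", 2),
               build_query("c.example", 3)]
    segments = split_segments(frame_tcp(queries), seg_size=40)
    tcp_delivered, stalled = deliver_tcp(segments, lost={1})
    return {
        "tcp_segments": len(segments),
        "tcp_delivered": tcp_delivered,
        "tcp_stalled_bytes": stalled,
        "dtls_delivered": deliver_dtls(queries, lost={1}),
    }


if __name__ == "__main__":
    r = demo()
    print(f"TCP: {r['tcp_segments']} segments sent, segment #2 lost -> "
          f"{len(r['tcp_delivered'])} message(s) delivered, "
          f"{r['tcp_stalled_bytes']} byte(s) buffered behind the gap")
    print(f"DTLS: record #2 lost -> {len(r['dtls_delivered'])} message(s) delivered")
```

With these constructed sizes the three 29-byte framed queries form an 87-byte stream cut into three segments; losing the middle one leaves the stream receiver able to hand up only the first query, with the third segment's bytes sitting in the buffer, whereas the datagram receiver hands up the first and third queries immediately. Shane's further point, that truncation still forces a TCP fallback, is why the datagram path alone is not a complete replacement.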
dns-privacy mailing list
